MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d49a51bbc86b86267ada38ab192f88c8d7ee210cd430beef2cae3d7af00a4d5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ACRStealer
Vendor detections: 4
| SHA256 hash: | d49a51bbc86b86267ada38ab192f88c8d7ee210cd430beef2cae3d7af00a4d5a |
|---|---|
| SHA3-384 hash: | 97b3ac055288229eca0d17aeec041cbfdfb04eb6d6ca6270cc0a22eb77e5a7b1fa90c48b7a50ab6d0d2bd780cf6acd6e |
| SHA1 hash: | 927fd8ca657515e46fd20c9c3711132738b3cff8 |
| MD5 hash: | b576ea6088c89efcfa92b5865084f001 |
| humanhash: | oregon-finch-october-cola |
| File name: | 𝓓𝓸𝔀𝓷𝓵𝓸𝓪𝓭 ⟿ 𝐒𝐄𝐓𝐔𝐏 ⟿ 𝓒𝓸𝓶𝓹𝓵𝓮𝓽𝓮 - 0555.7z |
| Signature | ACRStealer |
| File size: | 6'766'602 bytes |
| First seen: | 2025-11-04 15:09:31 UTC |
| Last seen: | Never |
| File type: | 7z |
| MIME type: | application/x-7z-compressed |
| Note: | This file is a password protected archive. The password is: 0555 |
| ssdeep | 98304:AajDRM32A7Q4iR9lb5xRpzWqcdkPX6oaPULADYsaOvk7cR+KDmwR2hTGXpHaeHIo:AaO3Wx+qhXFU3DY4R+KhGShHILqoo52C |
| TLSH | T15A66339476EA6E720E20F3F5E26B14F061B2FBE3D211C5C22751565DECB1210EA88EDD |
| TrID | 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1) 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1) |
| Magika | sevenzip |
| Reporter | iamaachum |
| Tags: | 2265ca 7z ACRStealer Amadey file-pumped pw-0555 |

Reporter comment:
https://cludchpfile.click/ => https://mega.nz/file/pVEE1QhY#qcmWEwYyW8tjIc_Msh1zHdVTKItTBbozBBuz5sebbPw
Amadey Botnet: 2265ca
Amadey C2: http://mi.huffproofs.com/kaWt2QXfpPueNM/index.php
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 284 |
| Origin country: | ES |

File Archive Information
This file is a password protected archive. The password is: 0555
This file archive contains 1 file(s), sorted by their relevance:
| File name: | Setup.exe |
|---|---|
| Pumped file | This file is pumped. MalwareBazaar has de-pumped it. |
| File size: | 704'977'816 bytes |
| SHA256 hash: | 962bdc61115c4f4bbf4a70a01c5adebd457cab719013ab971b6ca09dfb345c84 |
| MD5 hash: | 815be0222c24053f41867b326df738b6 |
| De-pumped file size: | 533'779'456 bytes (Vs. original size of 704'977'816 bytes) |
| De-pumped SHA256 hash: | e3f123f4c740f871f9a997003c6910ab81f542ecddc4bb6146c385a56c558195 |
| De-pumped MD5 hash: | 29abd892ad55a4a1c48254235dcfdd78 |
| MIME type: | application/x-dosexec |
| Signature | ACRStealer |
Vendor Threat Intelligence
Verdict: Malicious
Score: 90.2%
Tags: spawn sage

Verdict: Unknown
File Type: 7z

Verdict: inconclusive
YARA: 3 match(es)
Tags: 7z Archive SFX 7z
Detection(s): Suspicious file

Result
Malware family: acrstealer
Score: 10/10
Tags: family:acrstealer discovery execution spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
ACR stealer, GrMsk
Acrstealer family
Detects unpacked ACRstealer payload
Malware Config
Dropper Extraction: http://87.120.219.26/CCZT7wMNnD29ie

Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Legit
Score: 0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Delivery method: | Web download (distributed via web download) |
|---|---|
| Signature: | ACRStealer |
| File type / SHA256: | 7z d49a51bbc86b86267ada38ab192f88c8d7ee210cd430beef2cae3d7af00a4d5a (this sample) |